changeset 6493:fffb4e73700e

vcs: restructure authorization check This is a pure refactoring, except for some changed debug log messages. With this change, we simply return early if anonymous (= default user) access is enabled, which should help overall readability. (The diff becomes clearer if whitespace changes are ignored.)
author Søren Løvborg <sorenl@unity3d.com>
date Tue, 14 Feb 2017 20:27:45 +0100
parents b5551ad26fa3
children c72fe7e3b17f
files kallithea/lib/base.py
diffstat 1 files changed, 46 insertions(+), 52 deletions(-) [+]
--- a/kallithea/lib/base.py	Wed Jan 04 23:01:48 2017 +0100
+++ b/kallithea/lib/base.py	Tue Feb 14 20:27:45 2017 +0100
@@ -203,64 +203,58 @@
         Returns (user, None) on successful authentication and authorization.
         Returns (None, wsgi_app) to send the wsgi_app response to the client.
         """
-        anonymous_user = User.get_default_user(cache=True)
-        user = anonymous_user
-        if anonymous_user.active:
-            # ONLY check permissions if the user is activated
-            anonymous_perm = self._check_permission(action, anonymous_user,
-                                                    repo_name, ip_addr)
+        # Check if anonymous access is allowed.
+        default_user = User.get_default_user(cache=True)
+        is_default_user_allowed = (default_user.active and
+            self._check_permission(action, default_user, repo_name, ip_addr))
+        if is_default_user_allowed:
+            return default_user, None
+
+        if not default_user.active:
+            log.debug('Anonymous access is disabled')
         else:
-            anonymous_perm = False
+            log.debug('Not authorized to access this '
+                      'repository as anonymous user')
 
-        if not anonymous_user.active or not anonymous_perm:
-            if not anonymous_user.active:
-                log.debug('Anonymous access is disabled, running '
-                          'authentication')
+        username = None
+        #==============================================================
+        # DEFAULT PERM FAILED OR ANONYMOUS ACCESS IS DISABLED SO WE
+        # NEED TO AUTHENTICATE AND ASK FOR AUTH USER PERMISSIONS
+        #==============================================================
 
-            if not anonymous_perm:
-                log.debug('Not enough credentials to access this '
-                          'repository as anonymous user')
-
-            username = None
-            #==============================================================
-            # DEFAULT PERM FAILED OR ANONYMOUS ACCESS IS DISABLED SO WE
-            # NEED TO AUTHENTICATE AND ASK FOR AUTH USER PERMISSIONS
-            #==============================================================
+        # try to auth based on environ, container auth methods
+        log.debug('Running PRE-AUTH for container based authentication')
+        pre_auth = auth_modules.authenticate('', '', environ)
+        if pre_auth is not None and pre_auth.get('username'):
+            username = pre_auth['username']
+        log.debug('PRE-AUTH got %s as username', username)
 
-            # try to auth based on environ, container auth methods
-            log.debug('Running PRE-AUTH for container based authentication')
-            pre_auth = auth_modules.authenticate('', '', environ)
-            if pre_auth is not None and pre_auth.get('username'):
-                username = pre_auth['username']
-            log.debug('PRE-AUTH got %s as username', username)
+        # If not authenticated by the container, running basic auth
+        if not username:
+            self.authenticate.realm = safe_str(self.config['realm'])
+            result = self.authenticate(environ)
+            if isinstance(result, str):
+                paste.httpheaders.AUTH_TYPE.update(environ, 'basic')
+                paste.httpheaders.REMOTE_USER.update(environ, result)
+                username = result
+            else:
+                return None, result.wsgi_application
 
-            # If not authenticated by the container, running basic auth
-            if not username:
-                self.authenticate.realm = \
-                    safe_str(self.config['realm'])
-                result = self.authenticate(environ)
-                if isinstance(result, str):
-                    paste.httpheaders.AUTH_TYPE.update(environ, 'basic')
-                    paste.httpheaders.REMOTE_USER.update(environ, result)
-                    username = result
-                else:
-                    return None, result.wsgi_application
+        #==============================================================
+        # CHECK PERMISSIONS FOR THIS REQUEST USING GIVEN USERNAME
+        #==============================================================
+        try:
+            user = User.get_by_username_or_email(username)
+            if user is None or not user.active:
+                return None, webob.exc.HTTPForbidden()
+        except Exception:
+            log.error(traceback.format_exc())
+            return None, webob.exc.HTTPInternalServerError()
 
-            #==============================================================
-            # CHECK PERMISSIONS FOR THIS REQUEST USING GIVEN USERNAME
-            #==============================================================
-            try:
-                user = User.get_by_username_or_email(username)
-                if user is None or not user.active:
-                    return None, webob.exc.HTTPForbidden()
-            except Exception:
-                log.error(traceback.format_exc())
-                return None, webob.exc.HTTPInternalServerError()
-
-            #check permissions for this repository
-            perm = self._check_permission(action, user, repo_name, ip_addr)
-            if not perm:
-                return None, webob.exc.HTTPForbidden()
+        #check permissions for this repository
+        perm = self._check_permission(action, user, repo_name, ip_addr)
+        if not perm:
+            return None, webob.exc.HTTPForbidden()
 
         return user, None
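Review bot: The new early-return block tests `default_user.active` twice — once inside the `and` expression that builds `is_default_user_allowed`, and again to choose the debug message — and the temporary exists only to be checked once; an `if`/`elif`/`else` chain over the same two conditions makes the same decision without the repeated test and keeps the permission check visibly guarded by the `active` check. Behaviour is unchanged: `_check_permission` still runs only for an active default user, and only a truthy result short-circuits authentication. The `DEFAULT PERM FAILED OR ANONYMOUS ACCESS IS DISABLED` banner now restates what the two debug messages already say and could be reduced to a one-line comment such as `# Anonymous access was not sufficient; authenticate the caller and check its permissions.` The enclosing method (and its docstring) begins before this hunk.
```python
        # Check if anonymous access is allowed.
        default_user = User.get_default_user(cache=True)
        if not default_user.active:
            log.debug('Anonymous access is disabled')
        elif self._check_permission(action, default_user, repo_name, ip_addr):
            return default_user, None
        else:
            log.debug('Not authorized to access this '
                      'repository as anonymous user')
        # … unchanged: container pre-auth, basic auth, user lookup and repository permission check …
```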